How to go about SCCM role based security model?

As we are aware, full SCCM admin access grants a great deal of privilege to manage every desktop in an enterprise, so it is critical to control SCCM admin access through a role-based security model. We recently introduced a new security group model for managing SCCM operations with least-privilege admin access, organised by role and closely aligned with the SCCM out-of-box security classes.

Below is the list of sample security groups we provisioned in AD; the same groups are configured in the SCCM admin console with the equivalent access rights to implement role-based security in SCCM.

Sample Security Group | Security Group Definition
SCCM_Web_Reporting_Consumers | Members who need to view SCCM reports.
SCCM_SQLDB_Consumers | Members who need read access to the SCCM database for data feeds or reporting purposes.
SCCM_Detail_Consumers | Members who need to read all details about a given SMS/SCCM site.
SCCM_Monitoring_Providers | Members who perform monitoring functions on the SCCM servers.
SCCM_Software_Deployment_Providers | Members who need to write package deployment items.
SCCM_Patch_Management_Providers | Members who need to create patch deployments.
SCCM_Collection_Providers | Members who need to create and manage collections.
SCCM_Advertisement_Providers | Members who need to create and manage advertisements.
SCCM_OSD_Provider | Members who need to create SCCM OSD objects.
SCCM_DCM_Provider | Members who need to create SCCM DCM objects.
SCCM_Software_Metering_Provider | Members who need to create SCCM Software Metering objects.
SCCM_DeviceMgmt_Provider | Members who need to create SCCM DMP objects.
SCCM_Report_Provider | Members who need to create SCCM web reports.
SCCM_Client_Troubleshooting_Provider | Members who need to access SCCM client logs.
SCCM_Infrastructure_Providers | Members who need to change SCCM site settings and have full access to SCCM.
SCCM_Troubleshooting_Providers | The troubleshooting teams that provide escalation and resolution services.

Hope this helps in your planning for securing SCCM admin access with a role-based security model.

More details on SCCM security planning are available at the following link: http://technet.microsoft.com/en-us/library/bb680768.aspx
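The following PowerShell script is an added example, not part of the original post: it provisions the sample groups from the table above in AD (idempotently, so it can be re-run) and then reviews the one group that carries full SCCM access. The OU path and domain are placeholders; the ActiveDirectory module is assumed to be available.

```powershell
# Added example (not from the original post): provision the sample SCCM role groups
# from the table above and review membership of the full-access group.
# Assumptions: ActiveDirectory module installed; $ouPath is a placeholder OU you own.
Import-Module ActiveDirectory

$ouPath = 'OU=SCCM Roles,OU=Groups,DC=contoso,DC=com'   # placeholder, adjust to your domain

# Group names and definitions taken from the table in the post
$roleGroups = @{
    'SCCM_Web_Reporting_Consumers'         = 'View SCCM reports'
    'SCCM_SQLDB_Consumers'                 = 'Read access to the SCCM database for data feeds or reporting'
    'SCCM_Detail_Consumers'                = 'Read all details about a given SMS/SCCM site'
    'SCCM_Monitoring_Providers'            = 'Perform monitoring functions on the SCCM servers'
    'SCCM_Software_Deployment_Providers'   = 'Write package deployment items'
    'SCCM_Patch_Management_Providers'      = 'Create patch deployments'
    'SCCM_Collection_Providers'            = 'Create and manage collections'
    'SCCM_Advertisement_Providers'         = 'Create and manage advertisements'
    'SCCM_OSD_Provider'                    = 'Create SCCM OSD objects'
    'SCCM_DCM_Provider'                    = 'Create SCCM DCM objects'
    'SCCM_Software_Metering_Provider'      = 'Create SCCM Software Metering objects'
    'SCCM_DeviceMgmt_Provider'             = 'Create SCCM DMP objects'
    'SCCM_Report_Provider'                 = 'Create SCCM web reports'
    'SCCM_Client_Troubleshooting_Provider' = 'Access SCCM client logs'
    'SCCM_Infrastructure_Providers'        = 'Change SCCM site settings; full access to SCCM'
    'SCCM_Troubleshooting_Providers'       = 'Escalation and resolution services'
}

foreach ($name in $roleGroups.Keys) {
    # Idempotent: only create groups that do not already exist
    $existing = Get-ADGroup -Filter "Name -eq '$name'"
    if ($null -eq $existing) {
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Global -GroupCategory Security `
            -Description $roleGroups[$name] -Path $ouPath
        Write-Host "Created $name"
    } else {
        Write-Host "Exists  $name"
    }
}

# Least-privilege review: the full-access group should hold very few accounts, and
# nested groups hide who really has that access, so expand membership recursively.
$fullAccess = 'SCCM_Infrastructure_Providers'
$members = @(Get-ADGroupMember -Identity $fullAccess -Recursive |
             Select-Object -ExpandProperty SamAccountName | Sort-Object)
Write-Host "`n$fullAccess has $($members.Count) effective member(s):"
$members | ForEach-Object { Write-Host "  $_" }

# Nested groups inside any role group make effective membership hard to review;
# flag them so each one can be confirmed as intended.
foreach ($name in $roleGroups.Keys) {
    $nested = Get-ADGroupMember -Identity $name | Where-Object { $_.objectClass -eq 'group' }
    foreach ($g in $nested) {
        Write-Warning "$name contains nested group $($g.SamAccountName); verify this is intended"
    }
}
```

Running the script a second time creates nothing and only reprints the review, which makes it suitable for a scheduled membership check of the full-access group.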

How to setup WSUS & SUP role in NLB in SCCM?

SCCM SUP & WSUS configurations in NLB

Here are the steps we followed during the SCCM SUP and WSUS setup in NLB in production. Please refer to the links below for more up-to-date information on WSUS NLB and SUP configuration.

http://technet2.microsoft.com/windowsserver/en/library/b17d7555-81fd-4e32-8e8b-92b4c79221161033.mspx?mfr=true

http://technet2.microsoft.com/windowsserver/en/library/94d1385f-4872-4c29-8822-3a4ec5e45ae41033.mspx?mfr=true

http://technet.microsoft.com/en-us/library/bb633165.aspx

A sample SCCM SUP configuration in NLB; the same can be implemented with less hardware depending on business requirements.

For configuring WSUS per the supported standard, we need at minimum one server hosting the SQL DB and WSUS content plus two servers for the SUP roles in the NLB configuration when serving more than 25K clients (one SUP server can scale up to 25K clients).

Before starting, add all server system accounts to the SCCM primary site and add all service accounts to the local Administrators group.


WSUS DB & content server for SUP

Sample server drive requirements for hosting the WSUS DB and content for SUP.

DRIVE | DESCRIPTION | DIRECTORY/PURPOSE
C | System | C:\WINNT; C:\
D | SQL and SQL Tools | D:\MSSQL; D:\SQLTools
E | User Database Backups | E:\MSSQL\BAK
F | Log Backups | F:\MSSQL\TRAN
G | Content Location | G:\WSUS\WSUSContent
H | Data Files / SUPDB | H:\MSSQL\DATA
O | Log Files | O:\MSSQL\DATA
T | Tempdb Files | T:\MSSQL\DATA


·         This is the server that will host the SQL back-end database and the software update content for the WSUS NLB cluster.

·         Create a standard network shared folder that is available to all of the WSUS servers on this server that will be part of the software update point network load balancing cluster to be used as the WSUS resource content share. Each of the remote WSUS servers should be given change permissions on the root of the shared folder (all standard NTFS permissions except for full control). If the share is created on one of the site systems that will be part of the network load balancing cluster, the site system computer's Network Access account must have change permissions on the root of the shared folder. The user account used to run WSUS Setup should also have these permissions to the share created.

·         A SQL Server 2005 database server is installed on this server identified to host the WSUS database.

·         The UNC address to be used for the WSUS resource content share:

o    \\<FQDN>\WsusContent\

Follow the steps below on each SUP server in the NLB:

1.    Install WSUS 3.0 on the servers using the steps below.

a.    On the Welcome page, click Next.

b.    On the Installation Mode Selection page, select the Full server installation including Administration Console check box, and then click Next.

c.    Read the terms of the license agreement carefully. Click I accept the terms of the License agreement, and then click Next.

d.    On the Select Update Source page, select the Store updates locally check box and enter the path <Program Files directory>\Update Services. You will use the tool wsusutil.exe to move the content source location to point to the content source share on the Back-End SQL server after the WSUS installation is complete.

e.    On the Database Options page, for the first WSUS installation on a server that will be configured to use the NLB cluster, select Use an existing database server on a remote computer and enter the FQDN of the SQL Server that will host the WSUS database, followed by the instance name (if not using the default instance).

Important note: on the second SUP server the installation will prompt one additional step, where we need to select the option to use the existing database.

f.     On the Web Site Selection page, specify whether to use the existing Internet Information Services (IIS) Default Web Site.

Important: after the WSUS installation completes, the Windows Server Update Services Configuration Wizard starts. Do not use the wizard to configure the WSUS installation; click Cancel to close it. All WSUS server configuration is managed from within the Configuration Manager console.


2.    Add the Software Update Point NLB Network Connection Account to the WSUS Administrators group on each server.

3.    Configure Internet Information Services (IIS) to enable content share access.

a.    Start, point at All Programs, point at Administrative Tools, and click Internet Information Services (IIS) Manager.

b.    Expand <wsus server name>, expand Web Sites, and then expand the Web Site node for the WSUS Web site (either Default Web Site or WSUS Administration).

c.    Right-click the Content node and click Properties.

d.    On the Virtual Directory tab, select the A share located on another computer option for the resource content and fill in the UNC share name with “\\FQDN\Wsus\” as the share.

e.    Click Connect As, and enter the user name and password of the Software Update Point Connection account. Click OK to close the Content node properties.

Important: This step must be followed for each of the Front-End WSUS servers.

f.     Open a command window and navigate to the WSUS tools directory on the WSUS server: Install Drive\Program Files\Update Services\Tools

g.    On the first WSUS server to be configured, at the command prompt, type the following command:

wsusutil movecontent <WSUSContentsharename> <logfilename>

Note: there is a space between each parameter above.

Where <WSUSContentsharename> is the name of the WSUS content resource location share to which the content should be moved.

h.    On each successive WSUS server to be configured, at the command prompt type the following command:

wsusutil movecontent <WSUSContentsharename> <logfilename> /skipcopy

Tip: To verify that the content move was successful, review the log file created during the procedure and use Registry Editor to check the ContentDir value under the HKLM\Software\Microsoft\Update Services\Server\Setup key, ensuring that it has been changed to the WSUS content resource location share name you specified.

4.    Install the SUP role on both NLB servers through the SCCM console, referring to the following:

Configure the Software Update Point Component Properties as follows:

Tab | Property | Setting
General | Software Update Point | Use Network Load Balancing cluster, Port 80, SSL 443
 | Network Load Balancing Settings | IPv4 / NLB address
 | Cross Forest Access Account | SMS service account
 | Allow intranet-only client connections | Selected
Sync Source | Source | Synchronize from upstream update server
Language Settings | Languages | Select the following languages: Chinese (Hong Kong S.A.R.), Chinese (People's Republic of China), Chinese (Taiwan), English, French, German, Italian, Japanese (Japan), Korean, Spanish.

Additional steps for native mode configuration only:

1.    At the command prompt, change the directory to Install Drive\Program Files\Update Services\Tools.

2.    Execute the following command:

wsusutil.exe configuressl <Machine FQDN>

3.    Ensure SSL is enabled on the virtual directories listed below:

·         ApiRemoting30

·         ClientWebService

·         DssAuthWebService

·         ServerSyncWebService

·         SimpleAuthWebService

4.    Ensure SSL is not enabled on the Content virtual directory.

Monitor WCM.log and wsyncmgr.log to ensure the WSUS sync completes successfully.
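The steps above leave two things to be verified by hand on every front-end node: that the ContentDir registry value really points at the content share after wsusutil movecontent (tip under step 3), and, in native mode, that SSL is required on the five web service virtual directories but not on Content. The following script is an added example, not part of the original post, that performs both checks. It assumes it is run locally on each WSUS/SUP node as an administrator, on IIS 7 or later where the WebAdministration module exists; the share UNC and site name are placeholders.

```powershell
# Added example (not from the original post): post-install checks for a WSUS/SUP NLB node.
# Assumptions: run locally as administrator on each front-end node; IIS 7 or later with the
# WebAdministration module; $ExpectedShare and $WsusSite are placeholders for your values.
param(
    [string]$ExpectedShare = '\\sql-backend.contoso.com\WsusContent',  # placeholder UNC
    [string]$WsusSite      = 'WSUS Administration',                     # or 'Default Web Site'
    [switch]$NativeMode                                                  # SSL checks apply to native mode only
)

$problems = @()

# 1. ContentDir must point at the shared content location, not the local path used during setup.
$setupKey   = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
$contentDir = (Get-ItemProperty -Path $setupKey -Name ContentDir).ContentDir
if ($contentDir.TrimEnd('\') -ne $ExpectedShare.TrimEnd('\')) {
    $problems += "ContentDir is '$contentDir', expected '$ExpectedShare'"
}
# The share must also be reachable from this node (the connection account needs change rights).
if (-not (Test-Path -Path $ExpectedShare)) {
    $problems += "Content share '$ExpectedShare' is not reachable from $env:COMPUTERNAME"
}

# 2. In native mode SSL is required on the web services but must stay off on Content,
#    which clients reach over plain HTTP on port 80.
if ($NativeMode) {
    Import-Module WebAdministration
    $sslRequired  = @('ApiRemoting30', 'ClientWebService', 'DssAuthWebService',
                      'ServerSyncWebService', 'SimpleAuthWebService')
    $sslForbidden = @('Content')

    function Get-SslFlags([string]$vdir) {
        # sslFlags is a flags string such as 'Ssl,SslNegotiateCert' or '' (none required)
        $raw = Get-WebConfigurationProperty -Filter 'system.webServer/security/access' `
                   -Name sslFlags -PSPath "IIS:\Sites\$WsusSite\$vdir"
        if ($raw -is [string]) { return $raw } else { return [string]$raw.Value }
    }

    foreach ($v in $sslRequired) {
        # Whole-word match so 'SslNegotiateCert' alone does not count as SSL required
        if ((Get-SslFlags $v) -notmatch '\bSsl\b') { $problems += "SSL is NOT required on $v" }
    }
    foreach ($v in $sslForbidden) {
        if ((Get-SslFlags $v) -match '\bSsl\b')    { $problems += "SSL is enabled on $v but must be off" }
    }
}

if ($problems.Count -eq 0) {
    Write-Host "All checks passed on $env:COMPUTERNAME"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it without -NativeMode on a mixed-mode site, and with -NativeMode after wsusutil configuressl; a non-zero exit code makes it easy to wire into whatever you use to validate a node before it is added to the NLB cluster.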

To uninstall WSUS on first NLB node server, perform the following steps:

1.    Log on to the NODE server.

2.    Execute WSUSSetup.exe. The Windows Server Update Services 3.0 Setup Wizard appears.

3.    Select to remove only logs and click the Next button.

4.    When done, click the Finish button.

5.    Reboot the server to remove any files in process.

To uninstall WSUS on Second NODE server, perform the following steps:

1.    Log on to the NODE server.

2.    Execute WSUSSetup.exe. The Windows Server Update Services 3.0 Setup Wizard appears.

3.    Select to remove all items (database, logs, and downloaded files) and click the Next button.

4.    When done, click the Finish button.

5.    Reboot the server to remove any files in process.

It’s time to go for the SCCM Technology Specialist certification (70-401)

As we are aware, there is an SCCM Technology Specialist certification (70-401) available. So I would like to share some of the learnings based on the feedback of my colleague, who passed this recently and said that it’s a very easy test to go about.


SCCM Technologist specialist certification (